Hey Dan,
I've got two main sections in my agent.conf.
Each was cut/pasted from an original (default) ossec.conf for the particular
platform.
The Windows section has:
yes
But the Linux section didn't have any such section.
In the manager's ossec.conf, there are some sections that define
c
No.
On Wed, Feb 23, 2011 at 9:30 PM, Joel Brooks wrote:
> hey gang,
>
> sorry for the quick double tap.. I was wondering if there's a way to
> dump an agent's config.
>
> since moving all my config into agent.conf on the central server, I
> can't tell how a particular agent is configured... I kno
I think it goes in the manager's ossec.conf
On Wed, Feb 23, 2011 at 9:22 PM, Joel Brooks wrote:
> hey gang,
>
> I'm working on my centralized management of ossec and it seems to be
> going well.
>
> However, it seems that since I centralized and moved all the
> configuration to agent.conf, my act
hey gang,
sorry for the quick double tap.. I was wondering if there's a way to
dump an agent's config.
since moving all my config into agent.conf on the central server, I
can't tell how a particular agent is configured... I know I can
compare the md5sum of the server and the agent using agent_con
hey gang,
I'm working on my centralized management of ossec and it seems to be
going well.
However, it seems that since I centralized and moved all the
configuration to agent.conf, my active response rules have stopped
working. (last entry in active-response.log is Feb. 21, last SSH
brute force
I'm using splunk and it beat everyone.
--
Sent from my iPhone
On Feb 23, 2011, at 3:18 PM, "dan (ddp)" wrote:
splunk comes closest.
On Wed, Feb 23, 2011 at 3:13 PM, Charles Profitt
wrote:
Dan:
Is there an alternative to WUI?
Charles Profitt, Sr. Network Technician, Pittsford Central Scho
OSSEC srv: v2.0
OSSEC clt: 2.5.1
I simply added this line to my ossec-agent.conf:
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
Also, restarted OSSEC processes at the manager side after adding new agents.
That way agent-control -l or -i id on manager side shows me whole info
about the client.
So the o
Hi carlopmart,
On Wed, Feb 23, 2011 at 4:05 PM, carlopmart wrote:
> Hi all,
>
> Last month, I set up two OSSEC servers configured as an HA solution for
> several OSSEC agents. Until now all works OK. But now I need to use agent
> centralized configuration to simplify this structure. And I hav
Hi all,
Last month, I set up two OSSEC servers configured as an HA solution for several
OSSEC agents. Until now all works OK. But now I need to use agent centralized
configuration to simplify this structure. And I have some questions:
- If I understand documentation about centralized age
- Original Message -
> On Wed, Feb 23, 2011 at 11:10 AM, --[ UxBoD ]--
> wrote:
> > - Original Message -
> >> Just set the frequency to one, so it will catch after 3 events
> >>
> >> thanks,
> >>
> >
> > Sorry Daniel that does not work :(
> >
> > [root@hids01 ~]# grep -c "1004
splunk comes closest.
On Wed, Feb 23, 2011 at 3:13 PM, Charles Profitt
wrote:
> Dan:
>
> Is there an alternative to WUI?
>
> Charles Profitt, Sr. Network Technician, Pittsford Central Schools
> BrainBench Certified - (Master)Microsoft Security | (Master)Storage Area
> Networks Concepts | (Master
Dan:
Is there an alternative to WUI?
Charles Profitt, Sr. Network Technician, Pittsford Central Schools
BrainBench Certified - (Master)Microsoft Security | (Master)Storage Area
Networks Concepts | (Master)Microsoft Vista Desktop Administration |
(Master)Macintosh OS X 10.4 Desktop Administratio
Hi Chad,
On Wed, Feb 23, 2011 at 3:08 PM, Chad Hammond
wrote:
> I see this and what I am understanding is I would get an alert if new files
> were created correct? I would also like an alert if files were deleted and by
> who.
>
You can get alerts for new files and for files being deleted (mov
I see this and what I am understanding is I would get an alert if new files
were created correct? I would also like an alert if files were deleted and by
who.
-Original Message-
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of Jason 'XenoPhage' Frisvol
Hi John,
This question is probably better asked on a splunk forum.
Perhaps:
http://answers.splunk.com/search?q=*nix
Basically you can install splunk on all of the systems you want to
monitor, install the *nix app, and configure these instances to
forward their info onto a central splunk install.
h
It's really weird... I'm scared to touch anything in ossec.conf now because
I'm afraid it'll break or something. Maybe I'm just really good at typos or
something!
On Wed, Feb 23, 2011 at 11:41 AM, dan (ddp) wrote:
> I'm not sure you need the no inside the
> block.
>
> For those that don't want
Thanks Dan...
Basically, I'm having OSSEC monitor logtailed output of a larger file (the
logtailed output is written to a file that I'm having OSSEC monitor). The
reason I'm doing this is because the larger file is so large and grows so
fast that OSSEC would end up using up a significant amount of
Hi Gytis,
On Wed, Feb 23, 2011 at 9:42 AM, Gytis Šukys wrote:
> http://pkgs.org/
>
> Btw. solved that problem, but now have another:
>
For the archives, how did you solve the problem?
Which version of OSSEC?
Did you restart the OSSEC processes on the manager after adding the agent?
> 2011/02/2
Hi Joel,
On Tue, Feb 22, 2011 at 9:19 PM, Joel Brooks wrote:
> Hi gang,
>
> I'm wondering if there's any tricks to getting ossec working when the
> server is behind a NAT.
>
> here's the case:
>
> I have some linode servers that I'd like to monitor with ossec.
> the ossec server is in the office
I'm not sure you need the no inside the
block.
For those that don't want to look them up:
5716
Multiple SSHD authentication failures.
authentication_failures,
5710
SSHD brute force trying to get access to
the system.
authentication_failures,
I've h
On Wed, Feb 23, 2011 at 2:29 PM, jplee3 wrote:
> So I've been trying to figure out how to get a custom attack detection
> script to play well with OSSEC AR. After some further testing, I
> noticed the following:
>
> - I can manually echo an attack message to the file that the OSSEC
> agent is moni
Here's some more useful information about frequency:
http://marc.info/?l=ossec-list&m=129736702512080&w=2
On Tue, Feb 22, 2011 at 5:42 PM, jplee3 wrote:
> Has anybody done much testing with the frequency and timeframe
> parameters in various rulesets?
>
> I'm trying to get it to work with SSH log
So I've been trying to figure out how to get a custom attack detection
script to play well with OSSEC AR. After some further testing, I
noticed the following:
- I can manually echo an attack message to the file that the OSSEC
agent is monitoring and analysisd appears to do its job and report
the
On Wed, Feb 23, 2011 at 11:10 AM, --[ UxBoD ]-- wrote:
> - Original Message -
>> Just set the frequency to one, so it will catch after 3 events
>>
>> thanks,
>>
>
> Sorry Daniel that does not work :(
>
> [root@hids01 ~]# grep -c "10044 matched" output.txt
> 3
> [root@hids01 ~]# grep -c
Hi Charles,
On Wed, Feb 23, 2011 at 2:13 PM, Charles Profitt
wrote:
> I have a lighthttpd install of ossec-wui and the server does not display any
> alerts under latest events on the main page. In fact, the heading latest
> events does not show either. I have looked at the wiki and searched Googl
I have a lighthttpd install of ossec-wui and the server does not display any
alerts under latest events on the main page. In fact, the heading latest events
does not show either. I have looked at the wiki and searched Google with no
results. Can anyone point me in a direction.
Thanks,
Charles
On 02/23/2011 01:12 PM, Chad Hammond wrote:
> How do I setup file and folder monitoring on a directory?
>
> Any help with this would be greatly appreciated.
Add a syscheck section to your ossec.conf and/or agent.conf file :
7200
no
See here:
http://www.ossec.net/doc/manual/syscheck/index.html
On Wed, Feb 23, 2011 at 10:12 AM, Chad Hammond
wrote:
> How do I setup file and folder monitoring on a directory?
>
> Any help with this would be greatly appreciated.
>
>
>Chad Hammond
>Systems Administrator
> Northlan
How do I setup file and folder monitoring on a directory?
Any help with this would be greatly appreciated.
Chad Hammond
Systems Administrator
Northland Group
7831 Glenroy Rd
Edina, MN 55439
Direct 952-837-0625
--
- Original Message -
> Just set the frequency to one, so it will catch after 3 events
>
> thanks,
>
Sorry Daniel that does not work :(
[root@hids01 ~]# grep -c "10044 matched" output.txt
3
[root@hids01 ~]# grep -c "10061 matched" output.txt
0
10061 is the correlated rule and it nev
- Original Message -
> Nevermind I don't know what happened. There must have been a
> small
> typo somewhere. I was trying to get this working with Active Response
> and nothing would work. I at least got 5720 to trigger first and then
> ended up re-writing the AR in ossec.conf and test
http://pkgs.org/
Btw. solved that problem, but now have another:
2011/02/23 15:40:45 ossec-agentd(1218): ERROR: Unable to send message
to server.
2011/02/23 15:40:45 ossec-logcollector: socketerr (not available).
2011/02/23 15:40:46 ossec-agentd: WARN: Server unavailable. Setting
lock.
2011/02/23
Hey where did you get RPM package for ossec? Did you convert from
source ?
--
Sent from my iPhone
On Feb 23, 2011, at 7:34 AM, Gytis Šukys wrote:
Hello,
ossec-rootcheck: System audit file not configured.
What am I missing? I've installed ossec-hids and ossec-hids-client
rpms on client sid
hi all.
does ossec support rootkit detection in windows or not? I'm surprised
when I checked my windows agent ossec.conf and didn't find any setting
for directory of rootkit_files or rootkit_trojans.
is there rootkit detection ability for linux operating systems, not
windows?
hi
this scenario is working well, you have to redirect the port.
on openbsd 4.8 you can do this like.
match in on wan_if proto tcp from any to (wan_if) port 1514 rdr-to
ossec-server port 1514
the (wan_if) is an option for the fw code to read the IP directly from the
interface.
on linux for exampl
Hello,
ossec-rootcheck: System audit file not configured.
What am I missing? I've installed ossec-hids and ossec-hids-client
rpms on client side. Added new agent on server side, then imported
client key on agent side and restarted. Still getting this:
ossec-rootcheck: System audit file not config